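We recently migrated to Samba 4.4.16 (from 3.5.15).
Our configuration contains many shares with group-only access (@group or +group), which are mapped to unix groups. Here is an excerpt from the configuration: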
[global]
bind interfaces only = yes
interfaces = lo eth0
netbios name = OURSERVER
server string = Office Intranet (OURSERVER) Server Version %v
workgroup = WORKGROUP
domain master = yes
preferred master = yes
os level = 34
dns proxy = no
log level = 3
log file = /var/log/samba/log.%m
max log size = 50
nmbd bind explicit broadcast = No
printcap name = cups
name resolve order = wins hosts
passdb backend = tdbsam:/etc/samba/passdb.tdb
obey pam restrictions = yes
passwd chat debug = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
security = user
encrypt passwords = yes
map to guest = Bad User
wins support = Yes
idmap config * : backend = tdb
cups options = raw
use client driver = Yes
hosts allow = 127.0.0.1 192.168.0.0/24
case sensitive = no
invalid users = root
username map script = /bin/echo
restrict anonymous = 2
[homes]
comment = Home Directories
path = /data/home/%u
hide files = /.*/
veto files = /.*/lost+found/bin/httpd/public/.vacation.*/.forward/
follow symlinks = No
create mask = 0755
read only = No
[Stuff]
comment = All your base are belong to us
path = /data/shares/stuff
hide files = /.*/
veto files = /.*/lost+found/bin/httpd/public/.vacation.*/.forward/
follow symlinks = No
access based share enum = Yes
create mask = 0770
directory mask = 0770
force group = entitled
force user = docman
read only = No
valid users = @entitled
This works with smbclient -L OurServer:
$ smbclient -L OURSERVER
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\funster's password:
Domain=[OURSERVER] OS=[Windows 6.1] Server=[Samba 4.4.16]
Sharename Type Comment
--------- ---- -------
homes Disk Home Directories
funster Disk Home Directories
Stuff Disk All your base are belong to us
IPC$ IPC IPC Service (Office Intranet (OURSERVER) Server Version 4.4.16)
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP
But it does not work with Nautilus or smbtree, because by default neither of them asks for a password:
$ smbtree
WORKGROUP
\\OURSERVER Office Intranet (OURSERVER) Server Version 4.4.16
However:
$ smbtree -Ufunster%p4ssw0rd
WORKGROUP
\\OURSERVER Office Intranet (OURSERVER) Server Version 4.4.16
\\OURSERVER\funster Home Directories
\\OURSERVER\IPC$ IPC Service (Office Intranet (OURSERVER) Server Version 4.4.16)
\\OURSERVER\homes Home Directories
\\OURSERVER\Stuff All your base are belong to us
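Without restrict anonymous = 2, anonymous logins are allowed, but Nautilus/smbtree only show the homes share, even though the others are directly accessible.
How can I force Nautilus/smbtree to ask for a password so that they can see the group shares?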
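Answer 1
As @罗伯特·里德尔 pointed out in a comment, the man page for smbtree clearly states that the -N / --no-pass switch suppresses the normal password prompt.
The possibilities and solutions I can think of are as follows.
1) An alias may have been set up for smbtree. You can check with the command alias | grep smbtree, and if you get output like alias smbtree='smbtree -N' or alias smbtree='smbtree --nopass', you can remove the alias with the command unalias smbtree.
2) You have found a bug, and it should be reported so that the developers can squash it.
3) As far as I know, the only other way this can happen is if a section is designated as a guest service in smb.conf, with a guest ok = yes line in the share configuration. See the relevant man page: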
If this parameter is yes for a service, then no password is required to connect to the service. Privileges will be those of the guest account.
This parameter nullifies the benefits of setting restrict anonymous = 2
See the section below on security for more information about this option.
Default: guest ok = no
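The fix for this is to remove guest ok = yes from the share configuration so that it reverts to the default.
If you suspect this has something to do with the group assignment:
If the force user parameter is also set, the group specified in force group will override the primary group set in force user.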
force group (S)
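This specifies a UNIX group name that will be assigned as the default primary group for all users connecting to this service.
This is useful for sharing files, because it ensures that all access to files on the service will use the named group for permission checking. Thus, by assigning permissions for this group to the files and directories within this service, the Samba administrator can restrict or allow sharing of these files.
In Samba 2.0.5 and above, this parameter has extended functionality in the following way. If the group name listed here has a '+' character prepended to it, then the current user accessing the share only has the primary group default assigned to this group if they are already assigned as a member of that group. This allows an administrator to decide that only users who are already in a particular group will create files with group ownership set to that group. This gives a finer granularity of ownership assignment. For example, the setting force group = +sys means that only users who are already in group sys will have their default primary group assigned to sys when accessing this Samba share. All other users will retain their ordinary primary group.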
Default: force group =
Example: force group = agroup
To learn more about Samba, go here.
Sources:
http://manpages.ubuntu.com/manpages/trusty/man1/alias.1posix.html
http://manpages.ubuntu.com/manpages/xenial/man1/unalias.1posix.html
https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html
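
The check from point 3 of the answer, as an added example that is not part of the original answer or of Samba: a Python audit that lists the shares in an smb.conf that accept guest connections and reports whether they undo restrict anonymous = 2. The sample configuration is constructed, and its [Scans] share is hypothetical.

```python
import re

TRUE = {"yes", "true", "on", "1"}   # boolean spellings smb.conf accepts
SYNONYMS = {"public": "guest ok"}   # "public" is a synonym of "guest ok"

# Constructed sample: settings from the question plus a hypothetical [Scans] share.
SAMPLE = """\
[global]
  map to guest = Bad User
  restrict anonymous = 2
[Stuff]
  path = /data/shares/stuff
  valid users = @entitled
[Scans]
  path = /data/shares/scans
  Guest OK = Yes
"""

def parse_smb_conf(text):
    """Return {section: {param: value}} with normalised names (no continuation lines)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            key = " ".join(key.lower().split())   # lower case, single spaces
            current[SYNONYMS.get(key, key)] = value.strip()
    return sections

def audit(text):
    """List shares that accept guests and whether that undoes restrict anonymous = 2."""
    conf = parse_smb_conf(text)
    glob = next((p for n, p in conf.items() if n.lower() == "global"), {})
    default = glob.get("guest ok", "no")   # a value set in [global] is the share default
    guest_shares = [n for n, p in conf.items() if n.lower() != "global"
                    and p.get("guest ok", default).lower() in TRUE]
    restrict = glob.get("restrict anonymous", "0")
    return {"guest_shares": guest_shares,
            "map_to_guest": glob.get("map to guest", "Never"),
            "restrict_nullified": restrict == "2" and bool(guest_shares)}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On a live server, feed it the output of testparm -s rather than the raw file so that included files are resolved.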